[PATCHES] GPO support for client machine policy

These patches add Group Policy support for client machines. Adds a
winbind event that calls samba_gpoupdate to apply local machine
policies. Adds the option "winbind gpupdate" to smb.conf, which
determines whether group policy will be applied to the client. This is
*disabled* by default for now. Users will need to manually enable this
to see the new functionality.
To start off, we only have Environment Variable policies.

Re: [PATCHES] GPO support for client machine policy

Hi,

So, on a DC, does this actually run simultaneously with the gpo service
that was written earlier? Having two running together doesn't sound like
a good idea. Should the earlier one just be removed instead?

Re: [PATCHES] GPO support for client machine policy

Yes, they would run simultaneously, but they apply different things.
They also run on different intervals.
If you look at samba_gpoupdate where it sets gp_extensions, you'll see
it sets the extensions to apply based on the type of apply (KDC, client
machine, or user which isn't available yet).
I had considered removing the KDC service, but I think it is fine as is.
The way it is now, if they choose not to configure winbind, kdc policy
is still applied. The client policy is then only applied if they
configure winbind and treat the kdc as a client also.
But, this also means an extra setup step for group policy on a KDC. You
must enable both the service for the KDC, and winbind gpupdate
for the client policy.

Re: [PATCHES] GPO support for client machine policy

On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
> Yes, they would run simultaneously, but they apply different things.
> They also run on different intervals.
> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
> it sets the extensions to apply based on the type of apply (KDC, client
> machine, or user which isn't available yet).
> I had considered removing the KDC service, but I think it is fine as is.
> The way it is now, if they choose not to configure winbind, kdc policy
> is still applied.

Re: [PATCHES] GPO support for client machine policy

Right. Then maybe Garming is right, we probably don't need the KDC
service, just the one attached to winbind.

On 12/06/2017 11:02 AM, Andrew Bartlett wrote:

> On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
>> Yes, they would run simultaneously, but they apply different things.
>> They also run on different intervals.
>> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
>> it sets the extensions to apply based on the type of apply (KDC, client
>> machine, or user which isn't available yet).
>> I had considered removing the KDC service, but I think it is fine as is.
>> The way it is now, if they choose not to configure winbind, kdc policy
>> is still applied.
> To be clear, winbindd is a mandatory part of the AD DC.
>
> Andrew Bartlett

Re: [PATCHES] GPO support for client machine policy

Hi David,

is it also possible to have something useful as a domain member?
It would be nice if we could remove the lockout_policy() and
password_policy() hooks from winbindd_methods and make sure
the gpo code applies the correct settings to the local
account_policy.tdb

metze

Am 06.12.2017 um 19:10 schrieb David Mulder via samba-technical:

> Right. Then maybe Garming is right, we probably don't need the KDC
> service, just the one attached to winbind.
>
> On 12/06/2017 11:02 AM, Andrew Bartlett wrote:
>> On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
>>> Yes, they would run simultaneously, but they apply different things.
>>> They also run on different intervals.
>>> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
>>> it sets the extensions to apply based on the type of apply (KDC, client
>>> machine, or user which isn't available yet).
>>> I had considered removing the KDC service, but I think it is fine as is.
>>> The way it is now, if they choose not to configure winbind, kdc policy
>>> is still applied.
>> To be clear, winbindd is a mandatory part of the AD DC.
>>
>> Andrew Bartlett
>

Re: [PATCHES] GPO support for client machine policy

I think you should replace
elsif creds.machine_account():
with
elsif opts.machine:

And --machine should be mandatory until we also implement --user.

I think we should not add pycredentials creds.machine_account()

I think the gp_file_append.py code should be extended to include
a checksum in self.section_end and only update the settings
if the checksum of stuff between self.section and self.section_end
still matches the checksum.

In addition to the "winbind gpupdate" option it might
be good to configure which policies the admin wants to be evaluated.
As admin I'd like to disable any policies that modify /etc/*,
while keeping the stuff that applies to samba internals.

As we now only install samba_gpoupdate, when we install the AD DC,
we need to either remove that limitation or make it clear in the
documentation that this is only evaluated on an AD DC.

Commands like 'wbinfo --gpoupdate-status', 'wbinfo --gpoupdate-check'
and 'wbinfo --gpoupdate-force' would be good.

Would it make sense to support third party gpo evaluation scripts?
So that admins could write their own stuff to manage
/etc/someapplication.conf

Re: [PATCHES] GPO support for client machine policy

Am 06.12.2017 um 19:10 schrieb David Mulder via samba-technical:
> Right. Then maybe Garming is right, we probably don't need the KDC
> service, just the one attached to winbind.

Yes, only one please.

Maybe we should have the different evaluation scripts in a generic way
similar to ctdb event scripts, so one .py file for each task.
where an admin could use something like
'touch /path/to/python/samba/gpoupdate/scripts/machine/50.kdc_policy.py.disabled'
in order to disable the evaluation of that policy.

I think it should also be on by default on an AD DC.

metze

> On 12/06/2017 11:02 AM, Andrew Bartlett wrote:
>> On Wed, 2017-12-06 at 06:39 -0700, David Mulder wrote:
>>> Yes, they would run simultaneously, but they apply different things.
>>> They also run on different intervals.
>>> If you look at samba_gpoupdate where it sets gp_extensions, you'll see
>>> it sets the extensions to apply based on the type of apply (KDC, client
>>> machine, or user which isn't available yet).
>>> I had considered removing the KDC service, but I think it is fine as is.
>>> The way it is now, if they choose not to configure winbind, kdc policy
>>> is still applied.
>> To be clear, winbindd is a mandatory part of the AD DC.
>>
>> Andrew Bartlett
>
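To make the ctdb-style layout above concrete, here is an added example (not
Samba code, and not how samba_gpoupdate is structured in these patches) of a
loader that runs one script per task in numeric-prefix order and skips a task
when a sibling "<script>.disabled" file exists, which is exactly what the
suggested touch command creates. The directory layout, the NN.name.py naming
rule and the apply(ctx) entry point each script exposes are assumptions for the
example.

```python
import importlib.util
import os
import re
import tempfile

# Assumed naming rule: NN.task_name.py, ordered by NN like ctdb event scripts.
_NAME_RE = re.compile(r"^(\d+)\.(\w+)\.py$")


def discover_scripts(script_dir):
    """Return (order, name, path) for every enabled script, sorted by prefix.

    A script is disabled when '<script>.disabled' exists beside it, so
    'touch .../50.kdc_policy.py.disabled' turns that task off without editing code.
    """
    found = []
    for fname in os.listdir(script_dir):
        m = _NAME_RE.match(fname)
        if not m:
            continue
        if os.path.exists(os.path.join(script_dir, fname + ".disabled")):
            continue
        found.append((int(m.group(1)), m.group(2), os.path.join(script_dir, fname)))
    return sorted(found)


def run_scripts(script_dir, ctx):
    """Import each enabled script and call its apply(ctx); return the task names run."""
    applied = []
    for _order, name, path in discover_scripts(script_dir):
        spec = importlib.util.spec_from_file_location(f"gpoupdate_{name}", path)
        mod = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(mod)
        mod.apply(ctx)
        applied.append(name)
    return applied


def demo():
    """Constructed layout: three tasks, with the KDC one disabled by a touch file."""
    with tempfile.TemporaryDirectory() as d:
        scripts = {
            "10.env_vars.py": "def apply(ctx):\n    ctx['env'] = {'PATH': '/usr/bin'}\n",
            "50.kdc_policy.py": "def apply(ctx):\n    ctx['kdc'] = True\n",
            "30.password_policy.py": "def apply(ctx):\n    ctx['pwd_min_len'] = 7\n",
        }
        for fname, body in scripts.items():
            with open(os.path.join(d, fname), "w") as f:
                f.write(body)
        # Equivalent of: touch .../machine/50.kdc_policy.py.disabled
        open(os.path.join(d, "50.kdc_policy.py.disabled"), "w").close()
        ctx = {}
        return run_scripts(d, ctx), ctx


if __name__ == "__main__":
    print(demo())
```

Because the disabled marker is a separate file, a package upgrade that replaces
the scripts leaves the admin's choice intact, which is the property the ctdb
convention is after.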

Re: [PATCHES] GPO support for client machine policy

On 12/06/2017 11:57 PM, Stefan Metzmacher wrote:
> Hi David,
>
> is it also possible to have something useful as a domain member?
> It would be nice if we could remove the lockout_policy() and
> password_policy() hooks from winbindd_methods and make sure
> the gpo code applies the correct settings to the local
> account_policy.tdb
I think this will need to be covered in follow up patches, but I agree,
within client machine gpo update is exactly where these should be done.
This will require adding some more python-c bindings I think. I'll look
into this next.

Re: [PATCHES] GPO support for client machine policy

> As we now only install samba_gpoupdate, when we install the AD DC,
> we need to either remove that limitation or make it clear in the
> documentation that this is only evaluated on an AD DC.
Look at the changes to source4/scripting/bin/wscript_build and
source4/scripting/wscript_build. These force the install to happen
everywhere, instead of just on the AD DC.

Re: [PATCHES] GPO support for client machine policy

> I think it should also be on by default on an AD DC.
I don't see where we'd set winbind gpupdate to on by default just for
the AD DC. If I set the default to True, then it will just always be on
(even on a client machine).

Re: [PATCHES] GPO support for client machine policy

On Sat, 2017-12-02 at 08:54 -0700, David Mulder wrote:
> These patches add Group Policy support for client machines. Adds a
> winbind event that calls samba_gpoupdate to apply local machine
> policies. Adds the option "winbind gpupdate" to smb.conf, which
> determines whether group policy will be applied to the client. This is
> *disabled* by default for now. Users will need to manually enable this
> to see the new functionality.
> To start off, we only have Environment Variable policies.

I'm not really comfortable with this changing /etc/profile by default.
It is one thing to change the kdc configuration and the password
settings (as that is the way it should be done), but trying to apply a
windows PATH policy into the unix world just feels wrong, or at least
unexpected.